Print this page
NEX-13644 File access audit logging
Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
Reviewed by: Saso Kiselkov <saso.kiselkov@nexenta.com>
Reviewed by: Rick McNeal <rick.mcneal@nexenta.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/cmd/auditreduce/token.c
+++ new/usr/src/cmd/auditreduce/token.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
|
↓ open down ↓ |
13 lines elided |
↑ open up ↑ |
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 23 * Use is subject to license terms.
24 + *
24 25 * Copyright 2012 Milan Jurik. All rights reserved.
26 + * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
25 27 */
26 28
27 29
28 30 /*
29 31 * Token processing for auditreduce.
30 32 */
31 33
32 34 #include <locale.h>
33 35 #include <sys/zone.h>
34 36 #include "auditr.h"
35 37 #include "toktable.h"
36 38
37 39 extern int re_exec2(char *);
38 40
39 41 static void anchor_path(char *path);
40 42 static char *collapse_path(char *s);
41 43 static void get_string(adr_t *adr, char **p);
42 44 static int ipc_type_match(int flag, char type);
43 45 static void skip_string(adr_t *adr);
44 46 static int xgeneric(adr_t *adr);
45 47
46 48 #if AUDIT_REC
47 49 void
48 50 print_id(int id)
49 51 {
50 52 char *suffix;
51 53
52 54 if ((id < 0) || (id > MAXTOKEN) ||
53 55 (tokentable[id].func == NOFUNC)) {
54 56 (void) fprintf(stderr,
55 57 "token_processing: token %d not found\n", id);
56 58 return;
57 59 }
58 60
59 61 switch (id) {
60 62 case AUT_NEWGROUPS:
61 63 suffix = "_new";
62 64 break;
63 65 case AUT_ATTR32:
64 66 suffix = "32";
65 67 break;
66 68 case AUT_ARG64:
67 69 case AUT_RETURN64:
68 70 case AUT_ATTR64:
69 71 case AUT_HEADER64:
70 72 case AUT_SUBJECT64:
71 73 case AUT_PROCESS64:
72 74 case AUT_OTHER_FILE64:
73 75 suffix = "64";
74 76 break;
75 77 case AUT_SOCKET_EX:
76 78 case AUT_IN_ADDR_EX:
77 79 suffix = "_ex";
78 80 break;
79 81 case AUT_HEADER32_EX:
80 82 case AUT_SUBJECT32_EX:
81 83 case AUT_PROCESS32_EX:
82 84 suffix = "32_ex";
83 85 break;
84 86 case AUT_HEADER64_EX:
85 87 case AUT_SUBJECT64_EX:
86 88 case AUT_PROCESS64_EX:
87 89 suffix = "64_ex";
88 90 break;
89 91 default:
90 92 suffix = "";
91 93 break;
92 94 }
93 95 (void) fprintf(stderr, "token_processing: %s%s\n",
94 96 tokentable[id].t_name, suffix);
95 97 }
96 98 #endif /* AUDIT_REC */
97 99
98 100 /*
99 101 * Process a token in a record to determine whether the record is interesting.
100 102 */
101 103
102 104 int
103 105 token_processing(adr_t *adr, int tokenid)
104 106 {
105 107 if ((tokenid > 0) && (tokenid <= MAXTOKEN) &&
106 108 (tokentable[tokenid].func != NOFUNC)) {
107 109 #if AUDIT_REC
108 110 print_id(tokenid);
109 111 #endif /* AUDIT_REC */
110 112 return ((*tokentable[tokenid].func)(adr));
111 113 }
112 114
113 115 /* here if token id is not in table */
114 116 return (-2);
115 117 }
116 118
117 119
118 120 /* There should not be any file or header tokens in the middle of a record */
119 121
120 122 /* ARGSUSED */
121 123 int
122 124 file_token(adr_t *adr)
123 125 {
124 126 return (-2);
125 127 }
126 128
127 129 /* ARGSUSED */
128 130 int
129 131 file64_token(adr_t *adr)
130 132 {
131 133 return (-2);
132 134 }
133 135
134 136 /* ARGSUSED */
135 137 int
136 138 header_token(adr_t *adr)
137 139 {
138 140 return (-2);
139 141 }
140 142
141 143 /* ARGSUSED */
142 144 int
143 145 header32_ex_token(adr_t *adr)
144 146 {
145 147 return (-2);
146 148 }
147 149
148 150 /* ARGSUSED */
149 151 int
150 152 header64_ex_token(adr_t *adr)
151 153 {
152 154 return (-2);
153 155 }
154 156
155 157 /* ARGSUSED */
156 158 int
157 159 header64_token(adr_t *adr)
158 160 {
159 161 return (-2);
160 162 }
161 163
162 164
163 165 /*
164 166 * ======================================================
165 167 * The following token processing routines return
166 168 * -1: if the record is not interesting
167 169 * -2: if an error is found
168 170 * ======================================================
169 171 */
170 172
171 173 int
172 174 trailer_token(adr_t *adr)
173 175 {
174 176 short magic_number;
175 177 uint32_t bytes;
176 178
177 179 adrm_u_short(adr, (ushort_t *)&magic_number, 1);
178 180 if (magic_number != AUT_TRAILER_MAGIC) {
179 181 (void) fprintf(stderr, "%s\n",
180 182 gettext("auditreduce: Bad trailer token"));
181 183 return (-2);
182 184 }
183 185 adrm_u_int32(adr, &bytes, 1);
184 186
185 187 return (-1);
186 188 }
187 189
188 190
189 191 /*
190 192 * Format of arbitrary data token:
191 193 * arbitrary data token id adr char
192 194 * how to print adr_char
193 195 * basic unit adr_char
194 196 * unit count adr_char, specifying number of units of
195 197 * data items depends on basic unit
196 198 */
197 199 int
198 200 arbitrary_data_token(adr_t *adr)
199 201 {
200 202 int i;
201 203 char c1;
202 204 short c2;
203 205 int32_t c3;
204 206 int64_t c4;
205 207 char how_to_print, basic_unit, unit_count;
206 208
207 209 /* get how_to_print, basic_unit, and unit_count */
208 210 adrm_char(adr, &how_to_print, 1);
209 211 adrm_char(adr, &basic_unit, 1);
210 212 adrm_char(adr, &unit_count, 1);
211 213 for (i = 0; i < unit_count; i++) {
212 214 switch (basic_unit) {
213 215 /* case AUR_BYTE: has same value as AUR_CHAR */
214 216 case AUR_CHAR:
215 217 adrm_char(adr, &c1, 1);
216 218 break;
217 219 case AUR_SHORT:
218 220 adrm_short(adr, &c2, 1);
219 221 break;
220 222 case AUR_INT32:
221 223 adrm_int32(adr, (int32_t *)&c3, 1);
222 224 break;
223 225 case AUR_INT64:
224 226 adrm_int64(adr, (int64_t *)&c4, 1);
225 227 break;
226 228 default:
227 229 return (-2);
228 230 }
229 231 }
230 232 return (-1);
231 233 }
232 234
233 235
234 236 /*
235 237 * Format of opaque token:
236 238 * opaque token id adr_char
237 239 * size adr_short
238 240 * data adr_char, size times
239 241 */
240 242 int
241 243 opaque_token(adr_t *adr)
242 244 {
243 245 skip_string(adr);
244 246 return (-1);
245 247 }
246 248
247 249
248 250
249 251 /*
250 252 * Format of return32 value token:
251 253 * return value token id adr_char
252 254 * error number adr_char
253 255 * return value adr_u_int32
254 256 */
255 257 int
256 258 return_value32_token(adr_t *adr)
257 259 {
258 260 char errnum;
259 261 uint32_t value;
260 262
261 263 adrm_char(adr, &errnum, 1);
262 264 adrm_u_int32(adr, &value, 1);
263 265 if ((flags & M_SORF) &&
264 266 ((global_class & mask.am_success) && (errnum == 0)) ||
265 267 ((global_class & mask.am_failure) && (errnum != 0))) {
266 268 checkflags |= M_SORF;
267 269 }
268 270 return (-1);
269 271 }
270 272
271 273 /*
272 274 * Format of return64 value token:
273 275 * return value token id adr_char
274 276 * error number adr_char
275 277 * return value adr_u_int64
276 278 */
277 279 int
278 280 return_value64_token(adr_t *adr)
279 281 {
280 282 char errnum;
281 283 uint64_t value;
282 284
283 285 adrm_char(adr, &errnum, 1);
284 286 adrm_u_int64(adr, &value, 1);
285 287 if ((flags & M_SORF) &&
286 288 ((global_class & mask.am_success) && (errnum == 0)) ||
287 289 ((global_class & mask.am_failure) && (errnum != 0))) {
288 290 checkflags |= M_SORF;
289 291 }
290 292 return (-1);
291 293 }
292 294
293 295
294 296 /*
295 297 * Format of sequence token:
296 298 * sequence token id adr_char
297 299 * audit_count int32_t
298 300 */
299 301 int
300 302 sequence_token(adr_t *adr)
301 303 {
302 304 int32_t audit_count;
303 305
304 306 adrm_int32(adr, &audit_count, 1);
305 307 return (-1);
306 308 }
307 309
308 310
309 311 /*
310 312 * Format of text token:
311 313 * text token id adr_char
312 314 * text adr_string
313 315 */
314 316 int
315 317 text_token(adr_t *adr)
316 318 {
317 319 skip_string(adr);
318 320 return (-1);
319 321 }
320 322
321 323
322 324 /*
323 325 * Format of ip_addr token:
324 326 * ip token id adr_char
325 327 * address adr_int32
326 328 */
327 329 int
328 330 ip_addr_token(adr_t *adr)
329 331 {
330 332 int32_t address;
331 333
332 334 adrm_char(adr, (char *)&address, 4);
333 335
334 336 return (-1);
335 337 }
336 338
337 339 /*
338 340 * Format of ip_addr_ex token:
339 341 * ip token id adr_char
340 342 * ip type adr_int32
341 343 * ip address adr_u_char*type
342 344 */
343 345 int
344 346 ip_addr_ex_token(adr_t *adr)
345 347 {
346 348 int32_t type;
347 349 uchar_t address[16];
348 350
349 351 adrm_int32(adr, (int32_t *)&type, 1);
350 352 adrm_u_char(adr, address, type);
351 353
352 354 return (-1);
353 355 }
354 356
355 357 /*
356 358 * Format of ip token:
357 359 * ip header token id adr_char
358 360 * version adr_char
359 361 * type of service adr_char
360 362 * length adr_short
361 363 * id adr_u_short
362 364 * offset adr_u_short
363 365 * ttl adr_char
364 366 * protocol adr_char
365 367 * checksum adr_u_short
366 368 * source address adr_int32
367 369 * destination address adr_int32
368 370 */
369 371 int
370 372 ip_token(adr_t *adr)
371 373 {
372 374 char version;
373 375 char type;
374 376 short len;
375 377 unsigned short id, offset, checksum;
376 378 char ttl, protocol;
377 379 int32_t src, dest;
378 380
379 381 adrm_char(adr, &version, 1);
380 382 adrm_char(adr, &type, 1);
381 383 adrm_short(adr, &len, 1);
382 384 adrm_u_short(adr, &id, 1);
383 385 adrm_u_short(adr, &offset, 1);
384 386 adrm_char(adr, &ttl, 1);
385 387 adrm_char(adr, &protocol, 1);
386 388 adrm_u_short(adr, &checksum, 1);
387 389 adrm_char(adr, (char *)&src, 4);
388 390 adrm_char(adr, (char *)&dest, 4);
389 391
390 392 return (-1);
391 393 }
392 394
393 395
394 396 /*
395 397 * Format of iport token:
396 398 * ip port address token id adr_char
397 399 * port address adr_short
398 400 */
399 401 int
400 402 iport_token(adr_t *adr)
401 403 {
402 404 short address;
403 405
404 406 adrm_short(adr, &address, 1);
405 407
406 408 return (-1);
407 409 }
408 410
409 411
410 412 /*
411 413 * Format of groups token:
412 414 * group token id adr_char
413 415 * group list adr_int32, 16 times
414 416 */
415 417 int
416 418 group_token(adr_t *adr)
417 419 {
418 420 int gid[16];
419 421 int i;
420 422 int flag = 0;
421 423
422 424 for (i = 0; i < 16; i++) {
423 425 adrm_int32(adr, (int32_t *)&gid[i], 1);
424 426 if (flags & M_GROUPR) {
425 427 if ((unsigned short)m_groupr == gid[i])
426 428 flag = 1;
427 429 }
428 430 }
429 431
430 432 if (flags & M_GROUPR) {
431 433 if (flag)
432 434 checkflags |= M_GROUPR;
433 435 }
434 436 return (-1);
435 437 }
436 438
437 439 /*
438 440 * Format of newgroups token:
439 441 * group token id adr_char
440 442 * number of groups adr_short
441 443 * group list adr_int32, "number" times
442 444 */
443 445 int
444 446 newgroup_token(adr_t *adr)
445 447 {
446 448 gid_t gid;
447 449 int i;
448 450 short int number;
449 451
450 452 adrm_short(adr, &number, 1);
451 453
452 454 for (i = 0; i < number; i++) {
453 455 adrm_int32(adr, (int32_t *)&gid, 1);
454 456 if (flags & M_GROUPR) {
455 457 if (m_groupr == gid)
456 458 checkflags |= M_GROUPR;
457 459 }
458 460 }
459 461
460 462 return (-1);
461 463 }
462 464
463 465 /*
464 466 * Format of argument32 token:
465 467 * argument token id adr_char
466 468 * argument number adr_char
467 469 * argument value adr_int32
468 470 * argument description adr_string
469 471 */
470 472 int
471 473 argument32_token(adr_t *adr)
472 474 {
473 475 char arg_num;
474 476 int32_t arg_val;
475 477
476 478 adrm_char(adr, &arg_num, 1);
477 479 adrm_int32(adr, &arg_val, 1);
478 480 skip_string(adr);
479 481
480 482 return (-1);
481 483 }
482 484
483 485 /*
484 486 * Format of argument64 token:
485 487 * argument token id adr_char
486 488 * argument number adr_char
487 489 * argument value adr_int64
488 490 * argument description adr_string
489 491 */
490 492 int
491 493 argument64_token(adr_t *adr)
492 494 {
493 495 char arg_num;
494 496 int64_t arg_val;
495 497
496 498 adrm_char(adr, &arg_num, 1);
497 499 adrm_int64(adr, &arg_val, 1);
498 500 skip_string(adr);
499 501
500 502 return (-1);
501 503 }
502 504
503 505 /*
504 506 * Format of acl token:
505 507 * acl token id adr_char
506 508 * acl type adr_u_int32
507 509 * acl value adr_u_int32 (depends on type)
508 510 * file mode adr_u_int (in octal)
509 511 */
510 512 int
511 513 acl_token(adr_t *adr)
512 514 {
513 515
514 516 int32_t id;
515 517 int32_t mode;
516 518 int32_t type;
517 519
518 520 adrm_int32(adr, &type, 1);
519 521 adrm_int32(adr, &id, 1);
520 522 adrm_int32(adr, &mode, 1);
521 523
522 524 return (-1);
523 525 }
524 526
525 527 /*
526 528 * Format of ace token:
527 529 * ace token id adr_char
528 530 * ace who adr_u_int32 (uid/gid)
529 531 * access mask adr_u_int32
530 532 * ace flags adr_u_int16
531 533 * ace type adr_u_int16
532 534 */
533 535 int
534 536 ace_token(adr_t *adr)
535 537 {
536 538 uid_t who;
537 539 uint32_t access_mask;
538 540 uint16_t flags, type;
539 541
540 542 adrm_uid(adr, &who, 1);
541 543 adrm_u_int32(adr, &access_mask, 1);
542 544 adrm_u_short(adr, &flags, 1);
543 545 adrm_u_short(adr, &type, 1);
544 546
545 547 return (-1);
546 548 }
547 549
548 550 /*
549 551 * Format of attribute token: (old pre SunOS 5.7 format)
550 552 * attribute token id adr_char
551 553 * mode adr_int32 (printed in octal)
552 554 * uid adr_int32
553 555 * gid adr_int32
554 556 * file system id adr_int32
555 557 * node id adr_int32
556 558 * device adr_int32
557 559 */
558 560 int
559 561 attribute_token(adr_t *adr)
560 562 {
561 563 int32_t dev;
562 564 int32_t file_sysid;
563 565 int32_t gid;
564 566 int32_t mode;
565 567 int32_t nodeid;
566 568 int32_t uid;
567 569
568 570 adrm_int32(adr, &mode, 1);
569 571 adrm_int32(adr, &uid, 1);
570 572 adrm_int32(adr, &gid, 1);
571 573 adrm_int32(adr, &file_sysid, 1);
572 574 adrm_int32(adr, &nodeid, 1);
573 575 adrm_int32(adr, &dev, 1);
574 576
575 577 if (!new_mode && (flags & M_USERE)) {
576 578 if (m_usere == uid)
577 579 checkflags |= M_USERE;
578 580 }
579 581 if (!new_mode && (flags & M_GROUPE)) {
580 582 if (m_groupe == gid)
581 583 checkflags |= M_GROUPE;
582 584 }
583 585
584 586 if (flags & M_OBJECT) {
585 587 if ((obj_flag & OBJ_FGROUP) &&
586 588 (obj_group == gid))
587 589 checkflags |= M_OBJECT;
588 590 else if ((obj_flag & OBJ_FOWNER) &&
589 591 (obj_owner == uid))
590 592 checkflags |= M_OBJECT;
591 593 }
592 594 return (-1);
593 595 }
594 596
595 597 /*
596 598 * Format of attribute32 token:
597 599 * attribute token id adr_char
598 600 * mode adr_int32 (printed in octal)
599 601 * uid adr_int32
600 602 * gid adr_int32
601 603 * file system id adr_int32
602 604 * node id adr_int64
603 605 * device adr_int32
604 606 */
605 607 int
606 608 attribute32_token(adr_t *adr)
607 609 {
608 610 int32_t dev;
609 611 int32_t file_sysid;
610 612 int32_t gid;
611 613 int32_t mode;
612 614 int64_t nodeid;
613 615 int32_t uid;
614 616
615 617 adrm_int32(adr, &mode, 1);
616 618 adrm_int32(adr, &uid, 1);
617 619 adrm_int32(adr, &gid, 1);
618 620 adrm_int32(adr, &file_sysid, 1);
619 621 adrm_int64(adr, &nodeid, 1);
620 622 adrm_int32(adr, &dev, 1);
621 623
622 624 if (!new_mode && (flags & M_USERE)) {
623 625 if (m_usere == uid)
624 626 checkflags |= M_USERE;
625 627 }
626 628 if (!new_mode && (flags & M_GROUPE)) {
627 629 if (m_groupe == gid)
628 630 checkflags |= M_GROUPE;
629 631 }
630 632
631 633 if (flags & M_OBJECT) {
632 634 if ((obj_flag & OBJ_FGROUP) &&
633 635 (obj_group == gid))
634 636 checkflags |= M_OBJECT;
635 637 else if ((obj_flag & OBJ_FOWNER) &&
636 638 (obj_owner == uid))
637 639 checkflags |= M_OBJECT;
638 640 }
639 641 return (-1);
640 642 }
641 643
642 644 /*
643 645 * Format of attribute64 token:
644 646 * attribute token id adr_char
645 647 * mode adr_int32 (printed in octal)
646 648 * uid adr_int32
647 649 * gid adr_int32
648 650 * file system id adr_int32
649 651 * node id adr_int64
650 652 * device adr_int64
651 653 */
652 654 int
653 655 attribute64_token(adr_t *adr)
654 656 {
655 657 int64_t dev;
656 658 int32_t file_sysid;
657 659 int32_t gid;
658 660 int32_t mode;
659 661 int64_t nodeid;
660 662 int32_t uid;
661 663
662 664 adrm_int32(adr, &mode, 1);
663 665 adrm_int32(adr, &uid, 1);
664 666 adrm_int32(adr, &gid, 1);
665 667 adrm_int32(adr, &file_sysid, 1);
666 668 adrm_int64(adr, &nodeid, 1);
667 669 adrm_int64(adr, &dev, 1);
668 670
669 671 if (!new_mode && (flags & M_USERE)) {
670 672 if (m_usere == uid)
671 673 checkflags |= M_USERE;
672 674 }
673 675 if (!new_mode && (flags & M_GROUPE)) {
674 676 if (m_groupe == gid)
675 677 checkflags |= M_GROUPE;
676 678 }
677 679
678 680 if (flags & M_OBJECT) {
679 681 if ((obj_flag & OBJ_FGROUP) &&
680 682 (obj_group == gid))
681 683 checkflags |= M_OBJECT;
682 684 else if ((obj_flag & OBJ_FOWNER) &&
683 685 (obj_owner == uid))
684 686 checkflags |= M_OBJECT;
685 687 }
686 688 return (-1);
687 689 }
688 690
689 691
690 692 /*
691 693 * Format of command token:
692 694 * attribute token id adr_char
693 695 * argc adr_short
694 696 * argv len adr_short variable amount of argv len
695 697 * argv text argv len and text
696 698 * .
697 699 * .
698 700 * .
699 701 * envp count adr_short variable amount of envp len
700 702 * envp len adr_short and text
701 703 * envp text envp len
702 704 * .
703 705 * .
704 706 * .
705 707 */
706 708 int
707 709 cmd_token(adr_t *adr)
708 710 {
709 711 short cnt;
710 712 short i;
711 713
712 714 adrm_short(adr, &cnt, 1);
713 715
714 716 for (i = 0; i < cnt; i++)
715 717 skip_string(adr);
716 718
717 719 adrm_short(adr, &cnt, 1);
718 720
719 721 for (i = 0; i < cnt; i++)
720 722 skip_string(adr);
721 723
722 724 return (-1);
723 725 }
724 726
725 727
726 728 /*
727 729 * Format of exit token:
728 730 * attribute token id adr_char
729 731 * return value adr_int32
730 732 * errno adr_int32
731 733 */
732 734 int
733 735 exit_token(adr_t *adr)
734 736 {
735 737 int32_t retval;
736 738 int32_t errno;
737 739
738 740 adrm_int32(adr, &retval, 1);
739 741 adrm_int32(adr, &errno, 1);
740 742 return (-1);
741 743 }
742 744
743 745 /*
744 746 * Format of strings array token:
745 747 * token id adr_char
746 748 * count value adr_int32
747 749 * strings null terminated strings
748 750 */
749 751 static int
750 752 strings_common_token(adr_t *adr)
751 753 {
752 754 int count, i;
753 755 char c;
754 756
755 757 adrm_int32(adr, (int32_t *)&count, 1);
756 758 for (i = 1; i <= count; i++) {
757 759 adrm_char(adr, &c, 1);
758 760 while (c != (char)0)
759 761 adrm_char(adr, &c, 1);
760 762 }
761 763 /* no dump option here, since we will have variable length fields */
762 764 return (-1);
763 765 }
764 766
765 767 int
766 768 path_attr_token(adr_t *adr)
767 769 {
768 770 return (strings_common_token(adr));
769 771 }
770 772
771 773 int
772 774 exec_args_token(adr_t *adr)
773 775 {
774 776 return (strings_common_token(adr));
775 777 }
776 778
777 779 int
778 780 exec_env_token(adr_t *adr)
779 781 {
780 782 return (strings_common_token(adr));
781 783 }
782 784
783 785 /*
784 786 * Format of liaison token:
785 787 */
786 788 int
787 789 liaison_token(adr_t *adr)
788 790 {
789 791 int32_t li;
790 792
791 793 adrm_int32(adr, &li, 1);
792 794 return (-1);
793 795 }
794 796
795 797
796 798 /*
797 799 * Format of path token:
798 800 * path adr_string
799 801 */
800 802 int
801 803 path_token(adr_t *adr)
802 804 {
803 805 if ((flags & M_OBJECT) && (obj_flag == OBJ_PATH)) {
804 806 char *path;
805 807
806 808 get_string(adr, &path);
807 809 if (path[0] != '/')
808 810 /*
809 811 * anchor the path. user apps may not do it.
810 812 */
811 813 anchor_path(path);
812 814 /*
813 815 * match against the collapsed path. that is what user sees.
814 816 */
815 817 if (re_exec2(collapse_path(path)) == 1)
816 818 checkflags |= M_OBJECT;
817 819 free(path);
818 820 } else {
819 821 skip_string(adr);
820 822 }
821 823 return (-1);
822 824 }
823 825
824 826
825 827 /*
826 828 * Format of System V IPC permission token:
827 829 * System V IPC permission token id adr_char
828 830 * uid adr_int32
829 831 * gid adr_int32
830 832 * cuid adr_int32
831 833 * cgid adr_int32
832 834 * mode adr_int32
833 835 * seq adr_int32
834 836 * key adr_int32
835 837 */
836 838 int
837 839 s5_IPC_perm_token(adr_t *adr)
838 840 {
839 841 int32_t uid, gid, cuid, cgid, mode, seq;
840 842 int32_t key;
841 843
842 844 adrm_int32(adr, &uid, 1);
843 845 adrm_int32(adr, &gid, 1);
844 846 adrm_int32(adr, &cuid, 1);
845 847 adrm_int32(adr, &cgid, 1);
846 848 adrm_int32(adr, &mode, 1);
847 849 adrm_int32(adr, &seq, 1);
848 850 adrm_int32(adr, &key, 1);
849 851
850 852 if (!new_mode && (flags & M_USERE)) {
851 853 if (m_usere == uid)
852 854 checkflags |= M_USERE;
853 855 }
854 856
855 857 if (!new_mode && (flags & M_USERE)) {
856 858 if (m_usere == cuid)
857 859 checkflags |= M_USERE;
858 860 }
859 861
860 862 if (!new_mode && (flags & M_GROUPR)) {
861 863 if (m_groupr == gid)
862 864 checkflags |= M_GROUPR;
863 865 }
864 866
865 867 if (!new_mode && (flags & M_GROUPR)) {
866 868 if (m_groupr == cgid)
867 869 checkflags |= M_GROUPR;
868 870 }
869 871
870 872 if ((flags & M_OBJECT) &&
871 873 ((obj_owner == uid) ||
872 874 (obj_owner == cuid) ||
873 875 (obj_group == gid) ||
874 876 (obj_group == cgid))) {
875 877
876 878 switch (obj_flag) {
877 879 case OBJ_MSGGROUP:
878 880 case OBJ_MSGOWNER:
879 881 if (ipc_type_match(OBJ_MSG, ipc_type))
880 882 checkflags |= M_OBJECT;
881 883 break;
882 884 case OBJ_SEMGROUP:
883 885 case OBJ_SEMOWNER:
884 886 if (ipc_type_match(OBJ_SEM, ipc_type))
885 887 checkflags |= M_OBJECT;
886 888 break;
887 889 case OBJ_SHMGROUP:
888 890 case OBJ_SHMOWNER:
889 891 if (ipc_type_match(OBJ_SHM, ipc_type))
890 892 checkflags |= M_OBJECT;
891 893 break;
892 894 }
893 895 }
894 896 return (-1);
895 897 }
896 898
897 899
898 900 /*
899 901 * Format of process32 token:
900 902 * process token id adr_char
901 903 * auid adr_int32
902 904 * euid adr_int32
903 905 * egid adr_int32
904 906 * ruid adr_int32
905 907 * rgid adr_int32
906 908 * pid adr_int32
907 909 * sid adr_int32
908 910 * termid adr_int32*2
909 911 */
910 912 int
911 913 process32_token(adr_t *adr)
912 914 {
913 915 int32_t auid, euid, egid, ruid, rgid, pid;
914 916 int32_t sid;
915 917 int32_t port, machine;
916 918
917 919 adrm_int32(adr, &auid, 1);
918 920 adrm_int32(adr, &euid, 1);
919 921 adrm_int32(adr, &egid, 1);
920 922 adrm_int32(adr, &ruid, 1);
921 923 adrm_int32(adr, &rgid, 1);
922 924 adrm_int32(adr, &pid, 1);
923 925 adrm_int32(adr, &sid, 1);
924 926 adrm_int32(adr, &port, 1);
925 927 adrm_int32(adr, &machine, 1);
926 928
927 929 if (!new_mode && (flags & M_USERA)) {
928 930 if (m_usera == auid)
929 931 checkflags |= M_USERA;
930 932 }
931 933 if (!new_mode && (flags & M_USERE)) {
932 934 if (m_usere == euid)
933 935 checkflags |= M_USERE;
934 936 }
935 937 if (!new_mode && (flags & M_USERR)) {
936 938 if (m_userr == ruid)
937 939 checkflags |= M_USERR;
938 940 }
939 941 if (!new_mode && (flags & M_GROUPR)) {
940 942 if (m_groupr == rgid)
941 943 checkflags |= M_GROUPR;
942 944 }
943 945 if (!new_mode && (flags & M_GROUPE)) {
944 946 if (m_groupe == egid)
945 947 checkflags |= M_GROUPE;
946 948 }
947 949
948 950 if (flags & M_OBJECT) {
949 951 if ((obj_flag & OBJ_PROC) &&
950 952 (obj_id == pid)) {
951 953 checkflags |= M_OBJECT;
952 954 } else if ((obj_flag & OBJ_PGROUP) &&
953 955 ((obj_group == egid) ||
954 956 (obj_group == rgid))) {
955 957 checkflags |= M_OBJECT;
956 958 } else if ((obj_flag & OBJ_POWNER) &&
957 959 ((obj_owner == euid) ||
958 960 (obj_group == ruid))) {
959 961 checkflags |= M_OBJECT;
960 962 }
961 963 }
962 964 return (-1);
963 965 }
964 966
965 967 /*
966 968 * Format of process32_ex token:
967 969 * process token id adr_char
968 970 * auid adr_int32
969 971 * euid adr_int32
970 972 * egid adr_int32
971 973 * ruid adr_int32
972 974 * rgid adr_int32
973 975 * pid adr_int32
974 976 * sid adr_int32
975 977 * termid
976 978 * port adr_int32
977 979 * type adr_int32
978 980 * ip address adr_u_char*type
979 981 */
980 982 int
981 983 process32_ex_token(adr_t *adr)
982 984 {
983 985 int32_t auid, euid, egid, ruid, rgid, pid;
984 986 int32_t sid;
985 987 int32_t port, type;
986 988 uchar_t addr[16];
987 989
988 990 adrm_int32(adr, &auid, 1);
989 991 adrm_int32(adr, &euid, 1);
990 992 adrm_int32(adr, &egid, 1);
991 993 adrm_int32(adr, &ruid, 1);
992 994 adrm_int32(adr, &rgid, 1);
993 995 adrm_int32(adr, &pid, 1);
994 996 adrm_int32(adr, &sid, 1);
995 997 adrm_int32(adr, &port, 1);
996 998 adrm_int32(adr, &type, 1);
997 999 adrm_u_char(adr, addr, type);
998 1000
999 1001 if (!new_mode && (flags & M_USERA)) {
1000 1002 if (m_usera == auid)
1001 1003 checkflags = checkflags | M_USERA;
1002 1004 }
1003 1005 if (!new_mode && (flags & M_USERE)) {
1004 1006 if (m_usere == euid)
1005 1007 checkflags = checkflags | M_USERE;
1006 1008 }
1007 1009 if (!new_mode && (flags & M_USERR)) {
1008 1010 if (m_userr == ruid)
1009 1011 checkflags = checkflags | M_USERR;
1010 1012 }
1011 1013 if (!new_mode && (flags & M_GROUPR)) {
1012 1014 if (m_groupr == egid)
1013 1015 checkflags = checkflags | M_GROUPR;
1014 1016 }
1015 1017 if (!new_mode && (flags & M_GROUPE)) {
1016 1018 if (m_groupe == egid)
1017 1019 checkflags = checkflags | M_GROUPE;
1018 1020 }
1019 1021
1020 1022 if (flags & M_OBJECT) {
1021 1023 if ((obj_flag & OBJ_PROC) &&
1022 1024 (obj_id == pid)) {
1023 1025 checkflags = checkflags | M_OBJECT;
1024 1026 } else if ((obj_flag & OBJ_PGROUP) &&
1025 1027 ((obj_group == egid) ||
1026 1028 (obj_group == rgid))) {
1027 1029 checkflags = checkflags | M_OBJECT;
1028 1030 } else if ((obj_flag & OBJ_POWNER) &&
1029 1031 ((obj_owner == euid) ||
1030 1032 (obj_group == ruid))) {
1031 1033 checkflags = checkflags | M_OBJECT;
1032 1034 }
1033 1035 }
1034 1036 return (-1);
1035 1037 }
1036 1038
1037 1039 /*
1038 1040 * Format of process64 token:
1039 1041 * process token id adr_char
1040 1042 * auid adr_int32
1041 1043 * euid adr_int32
1042 1044 * egid adr_int32
1043 1045 * ruid adr_int32
1044 1046 * rgid adr_int32
1045 1047 * pid adr_int32
1046 1048 * sid adr_int32
1047 1049 * termid adr_int64+adr_int32
1048 1050 */
1049 1051 int
1050 1052 process64_token(adr_t *adr)
1051 1053 {
1052 1054 int32_t auid, euid, egid, ruid, rgid, pid;
1053 1055 int32_t sid;
1054 1056 int64_t port;
1055 1057 int32_t machine;
1056 1058
1057 1059 adrm_int32(adr, &auid, 1);
1058 1060 adrm_int32(adr, &euid, 1);
1059 1061 adrm_int32(adr, &egid, 1);
1060 1062 adrm_int32(adr, &ruid, 1);
1061 1063 adrm_int32(adr, &rgid, 1);
1062 1064 adrm_int32(adr, &pid, 1);
1063 1065 adrm_int32(adr, &sid, 1);
1064 1066 adrm_int64(adr, &port, 1);
1065 1067 adrm_int32(adr, &machine, 1);
1066 1068
1067 1069 if (!new_mode && (flags & M_USERA)) {
1068 1070 if (m_usera == auid)
1069 1071 checkflags |= M_USERA;
1070 1072 }
1071 1073 if (!new_mode && (flags & M_USERE)) {
1072 1074 if (m_usere == euid)
1073 1075 checkflags |= M_USERE;
1074 1076 }
1075 1077 if (!new_mode && (flags & M_USERR)) {
1076 1078 if (m_userr == ruid)
1077 1079 checkflags |= M_USERR;
1078 1080 }
1079 1081 if (!new_mode && (flags & M_GROUPR)) {
1080 1082 if (m_groupr == rgid)
1081 1083 checkflags |= M_GROUPR;
1082 1084 }
1083 1085 if (!new_mode && (flags & M_GROUPE)) {
1084 1086 if (m_groupe == egid)
1085 1087 checkflags |= M_GROUPE;
1086 1088 }
1087 1089
1088 1090 if (flags & M_OBJECT) {
1089 1091 if ((obj_flag & OBJ_PROC) &&
1090 1092 (obj_id == pid)) {
1091 1093 checkflags |= M_OBJECT;
1092 1094 } else if ((obj_flag & OBJ_PGROUP) &&
1093 1095 ((obj_group == egid) ||
1094 1096 (obj_group == rgid))) {
1095 1097 checkflags |= M_OBJECT;
1096 1098 } else if ((obj_flag & OBJ_POWNER) &&
1097 1099 ((obj_owner == euid) ||
1098 1100 (obj_group == ruid))) {
1099 1101 checkflags |= M_OBJECT;
1100 1102 }
1101 1103 }
1102 1104 return (-1);
1103 1105 }
1104 1106
1105 1107 /*
1106 1108 * Format of process64_ex token:
1107 1109 * process token id adr_char
1108 1110 * auid adr_int32
1109 1111 * euid adr_int32
1110 1112 * egid adr_int32
1111 1113 * ruid adr_int32
1112 1114 * rgid adr_int32
1113 1115 * pid adr_int32
1114 1116 * sid adr_int32
1115 1117 * termid
1116 1118 * port adr_int64
1117 1119 * type adr_int32
1118 1120 * ip address adr_u_char*type
1119 1121 */
1120 1122 int
1121 1123 process64_ex_token(adr_t *adr)
1122 1124 {
1123 1125 int32_t auid, euid, egid, ruid, rgid, pid;
1124 1126 int32_t sid;
1125 1127 int64_t port;
1126 1128 int32_t type;
1127 1129 uchar_t addr[16];
1128 1130
1129 1131 adrm_int32(adr, &auid, 1);
1130 1132 adrm_int32(adr, &euid, 1);
1131 1133 adrm_int32(adr, &egid, 1);
1132 1134 adrm_int32(adr, &ruid, 1);
1133 1135 adrm_int32(adr, &rgid, 1);
1134 1136 adrm_int32(adr, &pid, 1);
1135 1137 adrm_int32(adr, &sid, 1);
1136 1138 adrm_int64(adr, &port, 1);
1137 1139 adrm_int32(adr, &type, 1);
1138 1140 adrm_u_char(adr, addr, type);
1139 1141
1140 1142 if (!new_mode && (flags & M_USERA)) {
1141 1143 if (m_usera == auid)
1142 1144 checkflags = checkflags | M_USERA;
1143 1145 }
1144 1146 if (!new_mode && (flags & M_USERE)) {
1145 1147 if (m_usere == euid)
1146 1148 checkflags = checkflags | M_USERE;
1147 1149 }
1148 1150 if (!new_mode && (flags & M_USERR)) {
1149 1151 if (m_userr == ruid)
1150 1152 checkflags = checkflags | M_USERR;
1151 1153 }
1152 1154 if (!new_mode && (flags & M_GROUPR)) {
1153 1155 if (m_groupr == egid)
1154 1156 checkflags = checkflags | M_GROUPR;
1155 1157 }
1156 1158 if (!new_mode && (flags & M_GROUPE)) {
1157 1159 if (m_groupe == egid)
1158 1160 checkflags = checkflags | M_GROUPE;
1159 1161 }
1160 1162
1161 1163 if (flags & M_OBJECT) {
1162 1164 if ((obj_flag & OBJ_PROC) &&
1163 1165 (obj_id == pid)) {
1164 1166 checkflags = checkflags | M_OBJECT;
1165 1167 } else if ((obj_flag & OBJ_PGROUP) &&
1166 1168 ((obj_group == egid) ||
1167 1169 (obj_group == rgid))) {
1168 1170 checkflags = checkflags | M_OBJECT;
1169 1171 } else if ((obj_flag & OBJ_POWNER) &&
1170 1172 ((obj_owner == euid) ||
1171 1173 (obj_group == ruid))) {
1172 1174 checkflags = checkflags | M_OBJECT;
1173 1175 }
1174 1176 }
1175 1177 return (-1);
1176 1178 }
1177 1179
1178 1180 /*
1179 1181 * Format of System V IPC token:
1180 1182 * System V IPC token id adr_char
1181 1183 * object id adr_int32
1182 1184 */
1183 1185 int
1184 1186 s5_IPC_token(adr_t *adr)
1185 1187 {
1186 1188 int32_t ipc_id;
1187 1189
1188 1190 adrm_char(adr, &ipc_type, 1); /* Global */
1189 1191 adrm_int32(adr, &ipc_id, 1);
1190 1192
1191 1193 if ((flags & M_OBJECT) &&
1192 1194 ipc_type_match(obj_flag, ipc_type) &&
1193 1195 (obj_id == ipc_id))
1194 1196 checkflags |= M_OBJECT;
1195 1197
1196 1198 return (-1);
1197 1199 }
1198 1200
1199 1201
1200 1202 /*
1201 1203 * Format of socket token:
1202 1204 * socket_type adrm_short
1203 1205 * remote_port adrm_short
1204 1206 * remote_inaddr adrm_int32
1205 1207 */
1206 1208 int
1207 1209 socket_token(adr_t *adr)
1208 1210 {
1209 1211 short socket_type;
1210 1212 short remote_port;
1211 1213 int32_t remote_inaddr;
1212 1214
1213 1215 adrm_short(adr, &socket_type, 1);
1214 1216 adrm_short(adr, &remote_port, 1);
1215 1217 adrm_char(adr, (char *)&remote_inaddr, 4);
1216 1218
1217 1219 if ((flags & M_OBJECT) && (obj_flag == OBJ_SOCK)) {
1218 1220 if (socket_flag == SOCKFLG_MACHINE) {
1219 1221 if (remote_inaddr == obj_id)
1220 1222 checkflags |= M_OBJECT;
1221 1223 } else if (socket_flag == SOCKFLG_PORT) {
1222 1224 if (remote_port == obj_id)
1223 1225 checkflags |= M_OBJECT;
1224 1226 }
1225 1227 }
1226 1228 return (-1);
1227 1229 }
1228 1230
1229 1231
1230 1232 /*
1231 1233 * Format of socket_ex token:
1232 1234 * socket_domain adrm_short
1233 1235 * socket_type adrm_short
1234 1236 * address_type adrm_short
1235 1237 * local_port adrm_short
1236 1238 * local_inaddr adrm_u_char*address_type
1237 1239 * remote_port adrm_short
1238 1240 * remote_inaddr adrm_u_char*address_type
1239 1241 */
1240 1242 int
1241 1243 socket_ex_token(adr_t *adr)
1242 1244 {
1243 1245 short socket_domain;
1244 1246 short socket_type;
1245 1247 short ip_size;
1246 1248 short local_port;
1247 1249 uchar_t local_inaddr[16];
1248 1250 short remote_port;
1249 1251 uchar_t remote_inaddr[16];
1250 1252 uchar_t *caddr = (uchar_t *)&obj_id;
1251 1253
1252 1254 adrm_short(adr, &socket_domain, 1);
1253 1255 adrm_short(adr, &socket_type, 1);
1254 1256 adrm_short(adr, &ip_size, 1);
1255 1257
1256 1258 /* validate ip size */
1257 1259 if ((ip_size != AU_IPv6) && (ip_size != AU_IPv4))
1258 1260 return (0);
1259 1261
1260 1262 adrm_short(adr, &local_port, 1);
1261 1263 adrm_char(adr, (char *)local_inaddr, ip_size);
1262 1264
1263 1265 adrm_short(adr, &remote_port, 1);
1264 1266 adrm_char(adr, (char *)remote_inaddr, ip_size);
1265 1267
1266 1268 /* if IP type mis-match, then nothing to do */
1267 1269 if (ip_size != ip_type)
1268 1270 return (-1);
1269 1271
1270 1272 if ((flags & M_OBJECT) && (obj_flag == OBJ_SOCK)) {
1271 1273 if (socket_flag == SOCKFLG_MACHINE) {
1272 1274 if (ip_type == AU_IPv6) {
1273 1275 caddr = (uchar_t *)ip_ipv6;
1274 1276 }
1275 1277 if ((memcmp(local_inaddr, caddr, ip_type) == 0) ||
1276 1278 (memcmp(remote_inaddr, caddr, ip_type) == 0)) {
1277 1279 checkflags |= M_OBJECT;
1278 1280 }
1279 1281 } else if (socket_flag == SOCKFLG_PORT) {
1280 1282 if ((local_port == obj_id) || (remote_port == obj_id)) {
1281 1283 checkflags |= M_OBJECT;
1282 1284 }
1283 1285 }
1284 1286 }
1285 1287 return (-1);
1286 1288 }
1287 1289
1288 1290
1289 1291 /*
1290 1292 * Format of subject32 token:
1291 1293 * subject token id adr_char
1292 1294 * auid adr_int32
1293 1295 * euid adr_int32
1294 1296 * egid adr_int32
1295 1297 * ruid adr_int32
1296 1298 * rgid adr_int32
1297 1299 * pid adr_int32
1298 1300 * sid adr_int32
1299 1301 * termid adr_int32*2
1300 1302 */
1301 1303 int
1302 1304 subject32_token(adr_t *adr)
1303 1305 {
1304 1306 int32_t auid, euid, egid, ruid, rgid, pid;
1305 1307 int32_t sid;
1306 1308 int32_t port, machine;
1307 1309
1308 1310 adrm_int32(adr, &auid, 1);
1309 1311 adrm_int32(adr, &euid, 1);
1310 1312 adrm_int32(adr, &egid, 1);
1311 1313 adrm_int32(adr, &ruid, 1);
1312 1314 adrm_int32(adr, &rgid, 1);
1313 1315 adrm_int32(adr, &pid, 1);
1314 1316 adrm_int32(adr, &sid, 1);
1315 1317 adrm_int32(adr, &port, 1);
1316 1318 adrm_int32(adr, &machine, 1);
1317 1319
1318 1320 if (flags & M_SUBJECT) {
1319 1321 if (subj_id == pid)
1320 1322 checkflags |= M_SUBJECT;
1321 1323 }
1322 1324 if (flags & M_USERA) {
1323 1325 if (m_usera == auid)
1324 1326 checkflags |= M_USERA;
1325 1327 }
1326 1328 if (flags & M_USERE) {
1327 1329 if (m_usere == euid)
1328 1330 checkflags |= M_USERE;
1329 1331 }
1330 1332 if (flags & M_USERR) {
1331 1333 if (m_userr == ruid)
1332 1334 checkflags |= M_USERR;
1333 1335 }
1334 1336 if (flags & M_GROUPR) {
1335 1337 if (m_groupr == rgid)
1336 1338 checkflags |= M_GROUPR;
1337 1339 }
1338 1340 if (flags & M_GROUPE) {
1339 1341 if (m_groupe == egid)
1340 1342 checkflags |= M_GROUPE;
1341 1343 }
1342 1344 if (flags & M_SID) {
1343 1345 if (m_sid == (au_asid_t)sid)
1344 1346 checkflags |= M_SID;
1345 1347 }
1346 1348 return (-1);
1347 1349 }
1348 1350
1349 1351 /*
1350 1352 * Format of subject32_ex token:
1351 1353 * subject token id adr_char
1352 1354 * auid adr_int32
1353 1355 * euid adr_int32
1354 1356 * egid adr_int32
1355 1357 * ruid adr_int32
1356 1358 * rgid adr_int32
1357 1359 * pid adr_int32
1358 1360 * sid adr_int32
1359 1361 * termid
1360 1362 * port adr_int32
1361 1363 * type adr_int32
1362 1364 * ip address adr_u_char*type
1363 1365 */
1364 1366 int
1365 1367 subject32_ex_token(adr_t *adr)
1366 1368 {
1367 1369 int32_t auid, euid, egid, ruid, rgid, pid;
1368 1370 int32_t sid;
1369 1371 int32_t port, type;
1370 1372 uchar_t addr[16];
1371 1373
1372 1374 adrm_int32(adr, &auid, 1);
1373 1375 adrm_int32(adr, &euid, 1);
1374 1376 adrm_int32(adr, &egid, 1);
1375 1377 adrm_int32(adr, &ruid, 1);
1376 1378 adrm_int32(adr, &rgid, 1);
1377 1379 adrm_int32(adr, &pid, 1);
1378 1380 adrm_int32(adr, &sid, 1);
1379 1381 adrm_int32(adr, &port, 1);
1380 1382 adrm_int32(adr, &type, 1);
1381 1383 adrm_u_char(adr, addr, type);
1382 1384
1383 1385 if (flags & M_SUBJECT) {
1384 1386 if (subj_id == pid)
1385 1387 checkflags = checkflags | M_SUBJECT;
1386 1388 }
1387 1389 if (flags & M_USERA) {
1388 1390 if (m_usera == auid)
1389 1391 checkflags = checkflags | M_USERA;
1390 1392 }
1391 1393 if (flags & M_USERE) {
1392 1394 if (m_usere == euid)
1393 1395 checkflags = checkflags | M_USERE;
1394 1396 }
1395 1397 if (flags & M_USERR) {
1396 1398 if (m_userr == ruid)
1397 1399 checkflags = checkflags | M_USERR;
1398 1400 }
1399 1401 if (flags & M_GROUPR) {
1400 1402 if (m_groupr == egid)
1401 1403 checkflags = checkflags | M_GROUPR;
1402 1404 }
1403 1405 if (flags & M_GROUPE) {
1404 1406 if (m_groupe == egid)
1405 1407 checkflags = checkflags | M_GROUPE;
1406 1408 }
1407 1409 if (flags & M_SID) {
1408 1410 if (m_sid == (au_asid_t)sid)
1409 1411 checkflags = checkflags | M_SID;
1410 1412 }
1411 1413 return (-1);
1412 1414 }
1413 1415
1414 1416 /*
1415 1417 * Format of subject64 token:
1416 1418 * subject token id adr_char
1417 1419 * auid adr_int32
1418 1420 * euid adr_int32
1419 1421 * egid adr_int32
1420 1422 * ruid adr_int32
1421 1423 * rgid adr_int32
1422 1424 * pid adr_int32
1423 1425 * sid adr_int32
1424 1426 * termid adr_int64+adr_int32
1425 1427 */
1426 1428 int
1427 1429 subject64_token(adr_t *adr)
1428 1430 {
1429 1431 int32_t auid, euid, egid, ruid, rgid, pid;
1430 1432 int32_t sid;
1431 1433 int64_t port;
1432 1434 int32_t machine;
1433 1435
1434 1436 adrm_int32(adr, &auid, 1);
1435 1437 adrm_int32(adr, &euid, 1);
1436 1438 adrm_int32(adr, &egid, 1);
1437 1439 adrm_int32(adr, &ruid, 1);
1438 1440 adrm_int32(adr, &rgid, 1);
1439 1441 adrm_int32(adr, &pid, 1);
1440 1442 adrm_int32(adr, &sid, 1);
1441 1443 adrm_int64(adr, &port, 1);
1442 1444 adrm_int32(adr, &machine, 1);
1443 1445
1444 1446 if (flags & M_SUBJECT) {
1445 1447 if (subj_id == pid)
1446 1448 checkflags |= M_SUBJECT;
1447 1449 }
1448 1450 if (flags & M_USERA) {
1449 1451 if (m_usera == auid)
1450 1452 checkflags |= M_USERA;
1451 1453 }
1452 1454 if (flags & M_USERE) {
1453 1455 if (m_usere == euid)
1454 1456 checkflags |= M_USERE;
1455 1457 }
1456 1458 if (flags & M_USERR) {
1457 1459 if (m_userr == ruid)
1458 1460 checkflags |= M_USERR;
1459 1461 }
1460 1462 if (flags & M_GROUPR) {
1461 1463 if (m_groupr == rgid)
1462 1464 checkflags |= M_GROUPR;
1463 1465 }
1464 1466 if (flags & M_GROUPE) {
1465 1467 if (m_groupe == egid)
1466 1468 checkflags |= M_GROUPE;
1467 1469 }
1468 1470 if (flags & M_SID) {
1469 1471 if (m_sid == (au_asid_t)sid)
1470 1472 checkflags |= M_SID;
1471 1473 }
1472 1474 return (-1);
1473 1475 }
1474 1476
1475 1477 /*
1476 1478 * Format of subject64_ex token:
1477 1479 * subject token id adr_char
1478 1480 * auid adr_int32
1479 1481 * euid adr_int32
1480 1482 * egid adr_int32
1481 1483 * ruid adr_int32
1482 1484 * rgid adr_int32
1483 1485 * pid adr_int32
1484 1486 * sid adr_int32
1485 1487 * termid
1486 1488 * port adr_int64
1487 1489 * type adr_int32
1488 1490 * ip address adr_u_char*type
1489 1491 */
1490 1492 int
1491 1493 subject64_ex_token(adr_t *adr)
1492 1494 {
1493 1495 int32_t auid, euid, egid, ruid, rgid, pid;
1494 1496 int32_t sid;
1495 1497 int64_t port;
1496 1498 int32_t type;
1497 1499 uchar_t addr[16];
1498 1500
1499 1501 adrm_int32(adr, &auid, 1);
1500 1502 adrm_int32(adr, &euid, 1);
1501 1503 adrm_int32(adr, &egid, 1);
1502 1504 adrm_int32(adr, &ruid, 1);
1503 1505 adrm_int32(adr, &rgid, 1);
1504 1506 adrm_int32(adr, &pid, 1);
1505 1507 adrm_int32(adr, &sid, 1);
1506 1508 adrm_int64(adr, &port, 1);
1507 1509 adrm_int32(adr, &type, 1);
1508 1510 adrm_u_char(adr, addr, type);
1509 1511
1510 1512 if (flags & M_SUBJECT) {
1511 1513 if (subj_id == pid)
1512 1514 checkflags = checkflags | M_SUBJECT;
1513 1515 }
1514 1516 if (flags & M_USERA) {
1515 1517 if (m_usera == auid)
1516 1518 checkflags = checkflags | M_USERA;
1517 1519 }
1518 1520 if (flags & M_USERE) {
1519 1521 if (m_usere == euid)
1520 1522 checkflags = checkflags | M_USERE;
1521 1523 }
1522 1524 if (flags & M_USERR) {
1523 1525 if (m_userr == ruid)
1524 1526 checkflags = checkflags | M_USERR;
1525 1527 }
1526 1528 if (flags & M_GROUPR) {
1527 1529 if (m_groupr == egid)
1528 1530 checkflags = checkflags | M_GROUPR;
1529 1531 }
1530 1532 if (flags & M_GROUPE) {
1531 1533 if (m_groupe == egid)
1532 1534 checkflags = checkflags | M_GROUPE;
1533 1535 }
1534 1536 if (flags & M_SID) {
1535 1537 if (m_sid == (au_asid_t)sid)
1536 1538 checkflags = checkflags | M_SID;
1537 1539 }
1538 1540 return (-1);
1539 1541 }
1540 1542
1541 1543 /*
1542 1544 * -----------------------------------------------------------------------
1543 1545 * tid_token(): Process tid token and display contents
1544 1546 *
1545 1547 * Format of tid token:
1546 1548 * tid token id adr_char
1547 1549 * address type adr_char
1548 1550 * For address type of AU_IPADR...
1549 1551 * remote port adr_short
1550 1552 * local port adr_short
1551 1553 * IP type adr_int32
1552 1554 * IP addr adr_int32 if IPv4
1553 1555 * IP addr 4 x adr_int32 if IPv6
1554 1556 * address types other than AU_IPADR are not yet defined
1555 1557 * -----------------------------------------------------------------------
1556 1558 */
1557 1559 int
1558 1560 tid_token(adr_t *adr)
1559 1561 {
1560 1562 int32_t address[4];
1561 1563 int32_t ip_type;
1562 1564 char tid_type;
1563 1565 short rport;
1564 1566 short lport;
1565 1567
1566 1568 adrm_char(adr, &tid_type, 1);
1567 1569 switch (tid_type) {
1568 1570 case AU_IPADR:
1569 1571 adrm_short(adr, &rport, 1);
1570 1572 adrm_short(adr, &lport, 1);
1571 1573 adrm_int32(adr, &ip_type, 1);
1572 1574 adrm_char(adr, (char *)&address, ip_type);
1573 1575 break;
1574 1576 default:
1575 1577 return (0);
1576 1578 }
1577 1579 return (-1);
1578 1580 }
1579 1581
1580 1582 /*
1581 1583 * -----------------------------------------------------------------------
1582 1584 * zonename_token(): Process zonename token and display contents
1583 1585 *
1584 1586 * Format of zonename token:
1585 1587 * zonename token id adr_char
1586 1588 * zone name adr_string
1587 1589 * -----------------------------------------------------------------------
1588 1590 */
1589 1591 int
1590 1592 zonename_token(adr_t *adr)
1591 1593 {
1592 1594 char *name;
1593 1595
1594 1596 if (flags & M_ZONENAME) {
1595 1597 get_string(adr, &name);
1596 1598 if (strncmp(zonename, name, ZONENAME_MAX) == 0)
1597 1599 checkflags |= M_ZONENAME;
1598 1600 free(name);
1599 1601 } else {
1600 1602 skip_string(adr);
1601 1603 }
1602 1604 return (-1);
1603 1605 }
1604 1606
1605 1607 /*
1606 1608 * fmri_token():
1607 1609 *
1608 1610 * Format of fmri token:
1609 1611 * fmri adr_string
1610 1612 */
1611 1613 int
1612 1614 fmri_token(adr_t *adr)
1613 1615 {
1614 1616 if ((flags & M_OBJECT) && (obj_flag == OBJ_FMRI)) {
1615 1617 char *fmri_name;
1616 1618
1617 1619 get_string(adr, &fmri_name);
1618 1620
1619 1621 /* match token against service instance */
1620 1622 if (scf_cmp_pattern(fmri_name, &fmri) == 1) {
1621 1623 checkflags |= M_OBJECT;
1622 1624 }
1623 1625 free(fmri_name);
1624 1626 } else {
1625 1627 skip_string(adr);
1626 1628 }
1627 1629 return (-1);
1628 1630 }
1629 1631
1630 1632 /*
1631 1633 * Format of xatom token:
1632 1634 */
1633 1635 int
1634 1636 xatom_token(adr_t *adr)
1635 1637 {
1636 1638 skip_string(adr);
1637 1639
1638 1640 return (-1);
1639 1641 }
1640 1642
1641 1643 /*
1642 1644 * Format of xselect token:
1643 1645 */
1644 1646 int
1645 1647 xselect_token(adr_t *adr)
1646 1648 {
1647 1649 skip_string(adr);
1648 1650 skip_string(adr);
1649 1651 skip_string(adr);
1650 1652
1651 1653 return (-1);
1652 1654 }
1653 1655
1654 1656 /*
1655 1657 * anchor a path name with a slash
1656 1658 * assume we have enough space
1657 1659 */
1658 1660 void
1659 1661 anchor_path(char *path)
1660 1662 {
1661 1663 (void) memmove((void *)(path + 1), (void *)path, strlen(path) + 1);
1662 1664 *path = '/';
1663 1665 }
1664 1666
1665 1667
1666 1668 /*
1667 1669 * copy path to collapsed path.
1668 1670 * collapsed path does not contain:
1669 1671 * successive slashes
1670 1672 * instances of dot-slash
1671 1673 * instances of dot-dot-slash
1672 1674 * passed path must be anchored with a '/'
1673 1675 */
1674 1676 char *
1675 1677 collapse_path(char *s)
1676 1678 {
1677 1679 int id; /* index of where we are in destination string */
1678 1680 int is; /* index of where we are in source string */
1679 1681 int slashseen; /* have we seen a slash */
1680 1682 int ls; /* length of source string */
1681 1683
1682 1684 ls = strlen(s) + 1;
1683 1685
1684 1686 slashseen = 0;
1685 1687 for (is = 0, id = 0; is < ls; is++) {
1686 1688 /* thats all folks, we've reached the end of input */
1687 1689 if (s[is] == '\0') {
1688 1690 if (id > 1 && s[id-1] == '/') {
1689 1691 --id;
1690 1692 }
1691 1693 s[id++] = '\0';
1692 1694 break;
1693 1695 }
1694 1696 /* previous character was a / */
1695 1697 if (slashseen) {
1696 1698 if (s[is] == '/')
1697 1699 continue; /* another slash, ignore it */
1698 1700 } else if (s[is] == '/') {
1699 1701 /* we see a /, just copy it and try again */
1700 1702 slashseen = 1;
1701 1703 s[id++] = '/';
1702 1704 continue;
1703 1705 }
1704 1706 /* /./ seen */
1705 1707 if (s[is] == '.' && s[is+1] == '/') {
1706 1708 is += 1;
1707 1709 continue;
1708 1710 }
1709 1711 /* XXX/. seen */
1710 1712 if (s[is] == '.' && s[is+1] == '\0') {
1711 1713 if (id > 1)
1712 1714 id--;
1713 1715 continue;
1714 1716 }
1715 1717 /* XXX/.. seen */
1716 1718 if (s[is] == '.' && s[is+1] == '.' && s[is+2] == '\0') {
1717 1719 is += 1;
1718 1720 if (id > 0)
1719 1721 id--;
1720 1722 while (id > 0 && s[--id] != '/')
1721 1723 ;
1722 1724 id++;
1723 1725 continue;
1724 1726 }
1725 1727 /* XXX/../ seen */
1726 1728 if (s[is] == '.' && s[is+1] == '.' && s[is+2] == '/') {
1727 1729 is += 2;
1728 1730 if (id > 0)
1729 1731 id--;
1730 1732 while (id > 0 && s[--id] != '/')
1731 1733 ;
1732 1734 id++;
1733 1735 continue;
1734 1736 }
1735 1737 while (is < ls && (s[id++] = s[is++]) != '/')
1736 1738 ;
1737 1739 is--;
1738 1740 }
1739 1741 return (s);
1740 1742 }
1741 1743
1742 1744
1743 1745 int
1744 1746 ipc_type_match(int flag, char type)
1745 1747 {
1746 1748 if (flag == OBJ_SEM && type == AT_IPC_SEM)
1747 1749 return (1);
1748 1750
1749 1751 if (flag == OBJ_MSG && type == AT_IPC_MSG)
1750 1752 return (1);
1751 1753
1752 1754 if (flag == OBJ_SHM && type == AT_IPC_SHM)
1753 1755 return (1);
1754 1756
1755 1757 return (0);
1756 1758 }
1757 1759
1758 1760
1759 1761 void
1760 1762 skip_string(adr_t *adr)
1761 1763 {
1762 1764 ushort_t c;
1763 1765
1764 1766 adrm_u_short(adr, &c, 1);
1765 1767 adr->adr_now += c;
1766 1768 }
1767 1769
1768 1770
1769 1771 void
1770 1772 get_string(adr_t *adr, char **p)
1771 1773 {
1772 1774 ushort_t c;
1773 1775
1774 1776 adrm_u_short(adr, &c, 1);
1775 1777 *p = a_calloc(1, (size_t)c);
1776 1778 adrm_char(adr, *p, c);
1777 1779 }
1778 1780
1779 1781
1780 1782 /*
1781 1783 * Format of host token:
1782 1784 * host ard_uint32
1783 1785 */
1784 1786 int
1785 1787 host_token(adr_t *adr)
1786 1788 {
1787 1789 uint32_t host;
1788 1790
1789 1791 adrm_u_int32(adr, &host, 1);
1790 1792
1791 1793 return (-1);
1792 1794 }
1793 1795
1794 1796 /*
1795 1797 * Format of useofauth token:
1796 1798 * uauth token id adr_char
1797 1799 * uauth adr_string
1798 1800 */
1799 1801 int
1800 1802 useofauth_token(adr_t *adr)
1801 1803 {
1802 1804 skip_string(adr);
1803 1805 return (-1);
1804 1806 }
1805 1807
1806 1808 /*
1807 1809 * Format of user token:
1808 1810 * user token id adr_char
1809 1811 * uid adr_uid
1810 1812 * username adr_string
1811 1813 */
1812 1814 int
1813 1815 user_token(adr_t *adr)
1814 1816 {
1815 1817 uid_t uid;
1816 1818
1817 1819 adrm_uid(adr, &uid, 1);
1818 1820 skip_string(adr);
1819 1821
1820 1822 if ((flags & M_OBJECT) && (obj_flag == OBJ_USER) &&
1821 1823 (uid == obj_user)) {
1822 1824 checkflags |= M_OBJECT;
1823 1825 }
1824 1826
1825 1827 return (-1);
1826 1828 }
1827 1829
1828 1830 int
1829 1831 xcolormap_token(adr_t *adr)
1830 1832 {
1831 1833 return (xgeneric(adr));
1832 1834 }
1833 1835
1834 1836 int
1835 1837 xcursor_token(adr_t *adr)
1836 1838 {
1837 1839 return (xgeneric(adr));
1838 1840 }
1839 1841
1840 1842 int
1841 1843 xfont_token(adr_t *adr)
1842 1844 {
1843 1845 return (xgeneric(adr));
1844 1846 }
1845 1847
1846 1848 int
1847 1849 xgc_token(adr_t *adr)
1848 1850 {
1849 1851 return (xgeneric(adr));
1850 1852 }
1851 1853
1852 1854 int
1853 1855 xpixmap_token(adr_t *adr)
1854 1856 {
1855 1857 return (xgeneric(adr));
1856 1858 }
1857 1859
1858 1860 int
1859 1861 xwindow_token(adr_t *adr)
1860 1862 {
1861 1863 return (xgeneric(adr));
1862 1864 }
1863 1865
1864 1866
1865 1867 /*
1866 1868 * Format of xgeneric token:
1867 1869 * XID adr_int32
1868 1870 * creator UID adr_int32
1869 1871 *
1870 1872 * Includes: xcolormap, xcursor, xfont, xgc, xpixmap, and xwindow
1871 1873 */
1872 1874 int
1873 1875 xgeneric(adr_t *adr)
1874 1876 {
1875 1877 int32_t xid;
1876 1878 int32_t uid;
1877 1879
1878 1880 adrm_int32(adr, &xid, 1);
1879 1881 adrm_int32(adr, &uid, 1);
1880 1882
1881 1883 if (flags & M_USERE) {
1882 1884 if (m_usere == uid)
1883 1885 checkflags = checkflags | M_USERE;
1884 1886 }
1885 1887
1886 1888 return (-1);
1887 1889 }
1888 1890
1889 1891
1890 1892 /*
1891 1893 * Format of xproperty token:
1892 1894 * XID adr_int32
1893 1895 * creator UID adr_int32
1894 1896 * atom string adr_string
1895 1897 */
1896 1898 int
1897 1899 xproperty_token(adr_t *adr)
1898 1900 {
1899 1901 int32_t xid;
1900 1902 int32_t uid;
1901 1903
1902 1904 adrm_int32(adr, &xid, 1);
1903 1905 adrm_int32(adr, &uid, 1);
1904 1906 skip_string(adr);
1905 1907
1906 1908 if (flags & M_USERE) {
1907 1909 if (m_usere == uid)
1908 1910 checkflags = checkflags | M_USERE;
1909 1911 }
1910 1912
1911 1913 return (-1);
1912 1914 }
1913 1915
1914 1916
1915 1917 /*
1916 1918 * Format of xclient token:
1917 1919 * xclient id adr_int32
1918 1920 */
1919 1921 int
1920 1922 xclient_token(adr_t *adr)
1921 1923 {
1922 1924 int32_t client_id;
1923 1925
1924 1926 adrm_int32(adr, &client_id, 1);
1925 1927
1926 1928 return (-1);
1927 1929 }
1928 1930
1929 1931 /*
1930 1932 * Format of privilege set token:
1931 1933 * priv_set type string
1932 1934 * priv_set string
1933 1935 */
1934 1936
1935 1937 int
1936 1938 privilege_token(adr_t *adr)
1937 1939 {
1938 1940 skip_string(adr); /* set type name */
1939 1941 skip_string(adr); /* privilege set */
1940 1942 return (-1);
1941 1943 }
1942 1944
1943 1945 /*
1944 1946 * Format of security flags token:
1945 1947 * security flag set string
1946 1948 * security flags string
1947 1949 */
1948 1950
1949 1951 int
1950 1952 secflags_token(adr_t *adr)
1951 1953 {
1952 1954 skip_string(adr); /* set name */
1953 1955 skip_string(adr); /* security flags */
1954 1956 return (-1);
1955 1957 }
1956 1958
1957 1959 /*
1958 1960 * Format of label token:
1959 1961 * label ID 1 byte
1960 1962 * compartment length 1 byte
1961 1963 * classification 2 bytes
1962 1964 * compartment words <compartment length> * 4 bytes
1963 1965 */
1964 1966 int
1965 1967 label_token(adr_t *adr)
1966 1968 {
1967 1969 static m_label_t *label = NULL;
1968 1970 static size32_t l_size;
1969 1971 int len;
1970 1972
1971 1973 if (label == NULL) {
1972 1974 label = m_label_alloc(MAC_LABEL);
1973 1975 l_size = blabel_size() - 4;
1974 1976 }
1975 1977
1976 1978 if (label == NULL) {
1977 1979 /* out of memory, should never happen; skip label */
1978 1980 char l; /* length */
1979 1981
1980 1982 adr->adr_now += sizeof (char);
1981 1983 adrm_char(adr, (char *)&l, 1);
1982 1984 adr->adr_now += sizeof (short) + (4 * l);
1983 1985 return (-1);
1984 1986 }
1985 1987
1986 1988 adrm_char(adr, (char *)label, 4);
1987 1989 len = (int)(((char *)label)[1] * 4);
1988 1990 if (len > l_size) {
1989 1991 return (-1);
1990 1992 }
1991 1993 adrm_char(adr, &((char *)label)[4], len);
1992 1994
1993 1995 if (flags & M_LABEL) {
1994 1996 if (blinrange(label, m_label))
1995 1997 checkflags = checkflags | M_LABEL;
1996 1998 }
1997 1999
1998 2000 return (-1);
1999 2001 }
2000 2002
2001 2003
2002 2004 /*
2003 2005 * Format of useofpriv token:
2004 2006 * success/failure adr_char
2005 2007 * privilege(s) adr_string
2006 2008 */
|
↓ open down ↓ |
1972 lines elided |
↑ open up ↑ |
2007 2009 /* ARGSUSED */
2008 2010 int
2009 2011 useofpriv_token(adr_t *adr)
2010 2012 {
2011 2013 char flag;
2012 2014
2013 2015 adrm_char(adr, &flag, 1);
2014 2016 skip_string(adr);
2015 2017 return (-1);
2016 2018 }
2019 +
2020 +/*
2021 + * Format of access_mask token:
2022 + * access_mask adr_u_int32
2023 + */
2024 +int
2025 +access_mask_token(adr_t *adr)
2026 +{
2027 + uint32_t access;
2028 +
2029 + adrm_u_int32(adr, &access, 1);
2030 + return (-1);
2031 +}
2032 +
2033 +/*
2034 + * Format of wsid token:
2035 + * wsid adr_string
2036 + */
2037 +int
2038 +wsid_token(adr_t *adr)
2039 +{
2040 + if ((flags & M_OBJECT) != 0 && (obj_flag == OBJ_WSID)) {
2041 + char *sid;
2042 +
2043 + get_string(adr, &sid);
2044 + if (strncmp(wsid, sid, 256) == 0) /* SMB_SID_STRSZ */
2045 + checkflags |= M_OBJECT;
2046 + free(sid);
2047 + } else {
2048 + skip_string(adr);
2049 + }
2050 + return (-1);
2051 +}
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX